I regularly test asp.net websites which appear to be hosted on upto date (patched) web servers. The only bypass i have found is <~/XSS/*-*/STYLE=xss:e/**/xpression(alert('XSS')) but doesnt appear to work anymore! Reading the whitepaper from Procheckup they had the following test environment: